On 22.04.2012 21:49, Reindl Harald wrote:
> On 22.04.2012 21:38, Michael Heydekamp wrote:
>> Didn't know that. But how can a different user on a different machine have
>> the same session ID (if not by random)? Is there any way to a) get hold of
>> the ID of any other user's session, and b) to take influence on his own
>> session ID in a way that he would identify himself with the same ID?
>
> what do you think how long it takes to write a cookie like this?
> the only interesting is
> "roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905"
>
> being in an open WLAN without ssl and anybody can fake it in seconds

Ok, typing it is not a big deal, but how can he get hold of the ID of any user in the same WLAN within seconds?

And: If he can do that, isn't faking the User-Agent even an easier deal?

> Cookie: mailviewsplitterv=244; mailviewsplitter=262;
> composesplitterv=175; prefsviewsplitter=195;
> folderviewsplitter=300; addressviewsplitter=250;
> addressviewsplitterd=200; identviewsplitter=300;
> tl_webmail_sessid=vpxiRqxOLDa%2CM7gMP81eB2hPPc1;
> roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905

This looks as if the pane sizes (= splitters) would indeed be saved in a simple cookie. That explains why they sometimes get lost here.

Is there no way to save them permanently (machine-specific, of course)? Could be a database entry connected to the NIC, IMHO.

-- 
Michael Heydekamp
Co-Admin freexp.de
Düsseldorf/Germany
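An added example, not part of the original thread and not Roundcube's own code: because a session cookie sent over plain HTTP on an open WLAN is readable by anyone on that network, this check flags session cookies whose `Set-Cookie` header lacks `Secure` (cookie is only sent over HTTPS) or `HttpOnly` (cookie is not readable from page scripts). The cookie names are the ones quoted in the thread; the header values, attributes and the name-matching rule are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers. Cookie names come from the thread;
# the values and attributes are made up for illustration.
SAMPLE_SET_COOKIE = [
    "roundcube_sessauth=S0000000000000000000000000000000000000000; Path=/; HttpOnly",
    "tl_webmail_sessid=constructedvalue; Path=/; Secure; HttpOnly",
    "mailviewsplitter=262; Path=/; Max-Age=31536000",
]

# Assumption: a cookie whose name contains one of these markers carries
# session state; everything else is treated as a UI preference and skipped.
SESSION_MARKERS = ("sess", "auth")


def is_session_cookie(name):
    """Heuristic name match for cookies that act as session credentials."""
    lowered = name.lower()
    return any(marker in lowered for marker in SESSION_MARKERS)


def audit_set_cookie(headers):
    """Map each session cookie name to the protective attributes it lacks."""
    findings = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie value, attributes included
        for name, morsel in jar.items():
            if not is_session_cookie(name):
                continue
            missing = []
            if not morsel["secure"]:
                # Without Secure the browser also sends the cookie over http://
                missing.append("Secure")
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_SET_COOKIE).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```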
